Saturday, June 15, 2024

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6, introducing Kesakode, a remote hash lookup service.

This innovative tool is tightly integrated into Malcat’s UI and is designed to match known functions, strings, and constant sets against a comprehensive database of clean malware and library files.

This article delves into the features, functionality, and potential use cases of Kesakode.

How Does Kesakode Work?

Indexing Process

According to Malcat’s blog, a vast library comprising over 300 recent malware families and a million unique, clean programs and libraries has been built over the past months.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

This includes the extensive 2000+ malware families corpus from Malpedia. For each sample, three sets of features are extracted:

  1. Function Hashes: Hashes of every interesting function found in the sample, with their absolute offsets masked.
  2. String Hashes: Hashes of every interesting string found in the sample, utilizing Malcat’s scoring system.
  3. Fuzzy Hash: A single fuzzy hash computed over the list of interesting code eeeeeeeee and data constants identified by the constant scanner.

These hashes are stored in a massive relational database linked to their corresponding samples.

How Kesakode computes similarities for your file
How Kesakode computes similarities for your file

Query Time

When a Kesakode query is made, the same three sets of hashes are computed and sent to the matching service.

The cloud service then queries the database to identify if and where these hashes have been seen before. The decision tree used is straightforward:

  • Library Code: If a function hash is found in a library, it is labeled as LIBRARY code, and the library name is returned.
  • Clean Program: The hash is labeled as CLEAN if found in a clean program.
  • Malicious: If only seen in malware, it is labeled as MALICIOUS, and all malware family names where it was found are returned.

For code immediates and data constants, a different approach is taken.

Only malicious samples are focused on a single fuzzy hash summarizing the whole constant/immediate sets is stored.

At query time, this fuzzy hash is compared to its nearest neighbors, and all malware families with a similarity score greater than 80% are returned.

The new Kesakode view in Malcat
The new Kesakode view in Malcat

Kesakode is designed to handle the complexities of malware, often using deception techniques like code obfuscation or data/string encryption.

By using three different sets of features, Kesakode can identify the vast majority of malware samples.

Typical lookup queries take between 1 and 4 seconds, depending on the number of functions and strings in the program.

Users can help improve the database by submitting false positives and negatives with just a few clicks.

Submitting false positives/negatives
Submitting false positives/negatives

Use Cases

Malware Identification

Kesakode’s primary use is malware identification, helping users determine to which malware family a sample belongs.

Unlike public Yara rules, which can be incomplete or outdated, Kesakode uses more patterns for identification.

It works best on unpacked/dumped samples like those from the Triage sandbox.

Tria.ge Sandbox dumps are good targets for precise malware identification using Kesakode
Tria.ge Sandbox dumps are good targets for precise malware identification using Kesakode

Detection Engineering

For detection engineers, Kesakode aids in writing Yara rules by identifying unique portions of code and strings in malware.

The coloring scheme (LIBRARY, MALICIOUS, and CLEAN labels) is applied across Malcat’s views, making it easier to build Yara’s rules.

Data and strings coloring in Malcat after a Kesakode request
Data and strings coloring in Malcat after a Kesakode request

Faster Reverse Engineering

Even for standard application reverse engineering, Kesakode helps identify low-value functions, allowing users to focus on unique parts of the program.

The disassembly view in Malcat labels/colors every known function found in CLEAN programs or LIBRARY, speeding up the reversing process.

Color helpers in disassembly view after a Kesakode request
Color helpers in disassembly view after a Kesakode request

Kesakode is a powerful addition to Malcat, offering a robust solution for identifying malware samples, assisting in detection engineering, and speeding up reverse engineering processes.

With its comprehensive database and efficient query system, Kesakode is set to become an indispensable tool for cybersecurity professionals.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles